Granting User Privilege in Radosgw S3
So, if you are using Ceph radosgw to provide yourself an S3 endpoint; Good for you!
That’s cool!
… isn’t it?
Except…. well….
How do you make stuff accessible?
Sure, you can use the s3cmd tool to push and pull assets; but making stuff accessible through plain http(s) requests can be a bit weird.
While the documentation is …. extensive [1], it's a bit light on explicit 'how to do the thing' kinds of information.
I suppose that's because of how complex it is, in general, but…. that's neither here nor there.
Through some digging on Stack Overflow [2], in conjunction with the AWS Configuration Examples [3], I figured out the following.
Hope it helps ya!
To make stuff wide-open, you'd upload a bucket policy to set the bucket permissively:
applying a bucket policy
- Suppose your s3 endpoint is dog.wolfspyre.io
- Suppose your bucket is thebucket
- Suppose we save the following json file as 'thebucket_is_wide_open.json'.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketWebsite",
        "s3:ListBucket",
        "s3:GetBucketCORS"
      ],
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    }
  ]
}
okay… cool…. but how does one…. uh… apply this?
The simplest way for most people to do this is with the s3cmd tool, which is configured by an .s3cfg config file. Note that the "Principal": "*" statement above also grants s3:ListBucket, so anyone (not just people who already know a key) can enumerate every object in the bucket; drop that action if you only want objects fetchable by direct URL.
- Suppose we have our .s3cfg file saved as '.s3cfg_thebucket'
[default]
# s3cmd's format strings need the 's' conversion after each %(name) placeholder
#upstream_website_endpoint = http://%(bucket)s-%(location)s.amazonaws.com/
#website_endpoint = http://dog.wolfspyre.io/
website_error = error.html
website_index = index.html
host_base = dog.wolfspyre.io
host_bucket = %(bucket)s.dog.wolfspyre.io
access_key = someNICEl0ngHIGHentropyKeyHere
secret_key = evenLONGERnic3andH1gh3ntropyStr1ngH3R3
Applying it is as simple as:
s3cmd -c ~/.s3cfg_thebucket setpolicy thebucket_is_wide_open.json s3://thebucket
Neat… but now… what if we want to let users USERNAMEA, USERNAMEB, and USERNAMEC write to the bucket as well?
Let's save this one as 'some_users_write-thebucket_is_open.json':
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketWebsite",
        "s3:ListBucket",
        "s3:GetBucketCORS"
      ],
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    },
    {
      "Sid": "AuthorizedFullControl",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/USERNAMEA",
          "arn:aws:iam:::user/USERNAMEB",
          "arn:aws:iam:::user/USERNAMEC"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::thebucket",
        "arn:aws:s3:::thebucket/*"
      ]
    }
  ]
}
s3cmd -c ~/.s3cfg_thebucket setpolicy some_users_write-thebucket_is_open.json s3://thebucket
neat eh?
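Hand-editing these JSON files for every bucket gets old, and it is easy to paste a "*" principal next to a write action by accident. The script below is an added example (not from the original post, and not part of s3cmd or radosgw): it builds the two policies shown above from a bucket name and a list of writer usernames, and then audits any policy document for Allow statements that hand ListBucket, write or wildcard actions to everyone. The `public_list` switch, the `WRITE_PREFIXES` list and the empty-tenant ARN form `arn:aws:iam:::user/NAME` (copied from the page's own policies) are assumptions of this example; write the output to a file and apply it with `s3cmd setpolicy` exactly as the post does.

```python
import json

# Anonymous-read actions used by the page's "PublicReadGetObject" statement.
PUBLIC_READ_ACTIONS = ["s3:GetObject", "s3:GetBucketWebsite",
                       "s3:ListBucket", "s3:GetBucketCORS"]

# Action prefixes this example treats as "write-ish" when granted to everyone.
# (Assumption: a conservative list, not an exhaustive catalogue of S3 actions.)
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Create", "s3:Abort", "s3:Restore")


def bucket_arns(bucket):
    # Both ARNs are needed: the bucket itself (ListBucket) and its objects (GetObject).
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_policy(bucket, writers=(), public_list=False):
    """Build a radosgw bucket policy in the shape the page uses.

    public_list=False drops s3:ListBucket from the anonymous statement, so
    strangers can fetch objects they know the key of but cannot enumerate
    the bucket. Pass public_list=True to reproduce the page's policy verbatim.
    """
    actions = [a for a in PUBLIC_READ_ACTIONS if public_list or a != "s3:ListBucket"]
    statements = [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": actions,
        "Resource": bucket_arns(bucket),
    }]
    if writers:
        # Empty-tenant radosgw user ARNs, matching the page's examples.
        statements.append({
            "Sid": "AuthorizedFullControl",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam:::user/{u}" for u in writers]},
            "Action": "s3:*",
            "Resource": bucket_arns(bucket),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} / {"AWS": ["*", ...]} both mean "everyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy):
    """Return human-readable findings for Allow statements granted to everyone."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "s3:*") or action.startswith(WRITE_PREFIXES):
                findings.append(f"{sid}: anonymous write/admin access via {action}")
            elif action == "s3:ListBucket":
                findings.append(f"{sid}: anonymous s3:ListBucket lets anyone enumerate every key")
    return findings


if __name__ == "__main__":
    # Reproduce the page's second policy (constructed usernames from the post).
    policy = build_policy("thebucket", writers=["USERNAMEA", "USERNAMEB", "USERNAMEC"],
                          public_list=True)
    with open("some_users_write-thebucket_is_open.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    for finding in audit_policy(policy):
        print("WARNING:", finding)
    # Then: s3cmd -c ~/.s3cfg_thebucket setpolicy some_users_write-thebucket_is_open.json s3://thebucket
```

Running it as-is prints one warning, for the anonymous `s3:ListBucket` grant; the writers' `s3:*` statement is not flagged because its principals are named users, not "*". Building with `public_list=False` produces a policy that audits clean while still serving objects by URL.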